Malware Analysis Report

2025-08-10 14:20

Sample ID 241108-sfefasvalb
Target CFXBypass.exe
SHA256 e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511
Tags
discovery lumma stealer
score
10/10

Analysis Overview

score
10/10

SHA256

e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511

Threat Level: Known bad

The file CFXBypass.exe was found to be: Known bad.

Malicious Activity Summary

discovery lumma stealer

Lumma Stealer, LummaC

Lumma family

Loads dropped DLL

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 15:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 15:03

Reported

2024-11-08 15:07

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe

"C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe"

Network

N/A

Files

memory/2148-0-0x0000000074C2E000-0x0000000074C2F000-memory.dmp

memory/2148-1-0x0000000000F60000-0x0000000000FF0000-memory.dmp

\Users\Admin\AppData\Roaming\msvcp110.dll

MD5 9bc424be13dca227268ab018dca9ef0c
SHA1 f6f42e926f511d57ef298613634f3a186ec25ddc
SHA256 59d3999d0989c9c91dae93c26499f5a14b837a0fe56e6fc29f57456f54a1f8a2
SHA512 70a1abb35bd95efc40af6653d5db2e155fab9a8575b7ae5b69ab3fbcd60925c66a675dac6cba57564a430e9b92f1a2ea9e912c4d7f356b82696ed77e92b52715

memory/2148-6-0x00000000759B0000-0x0000000075A71000-memory.dmp

memory/2148-7-0x0000000074C20000-0x000000007530E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 15:03

Reported

2024-11-08 15:06

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3576 set thread context of 4376 N/A C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe

"C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Network


Files

memory/3576-0-0x000000007520E000-0x000000007520F000-memory.dmp

memory/3576-1-0x0000000000920000-0x00000000009B0000-memory.dmp

memory/3576-2-0x0000000075200000-0x00000000759B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\msvcp110.dll

MD5 9bc424be13dca227268ab018dca9ef0c
SHA1 f6f42e926f511d57ef298613634f3a186ec25ddc
SHA256 59d3999d0989c9c91dae93c26499f5a14b837a0fe56e6fc29f57456f54a1f8a2
SHA512 70a1abb35bd95efc40af6653d5db2e155fab9a8575b7ae5b69ab3fbcd60925c66a675dac6cba57564a430e9b92f1a2ea9e912c4d7f356b82696ed77e92b52715

memory/4376-12-0x0000000000400000-0x0000000000465000-memory.dmp

memory/4376-9-0x0000000000400000-0x0000000000465000-memory.dmp

memory/4376-14-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3576-15-0x0000000075200000-0x00000000759B0000-memory.dmp

memory/3576-13-0x0000000075200000-0x00000000759B0000-memory.dmp